Roger Perkin

Learn Network Automation

You are here: Home / Network Automation / Ansible Network Automation / Ansible Vault Tutorial

If you have been using Ansible for a while you will have wondered if there is a way to encrypt password information?

There is it’s called Ansible Vault.

ansible vault tutorial bank vault image

In this Ansible Vault tutorial I will show you how to keep all your password and sensitive data in encrypted files within Ansible.

For information this tutorial is being performed within Ubuntu 18.04 Desktop.

What is Ansible Vault?

Ansible Vault is a brilliant feature within Ansible that enables to you keep all your passwords and sensitive data in encrypted files as opposed to having it in plain text within playbooks or in vars. You either point Ansible Vault to the location of a password file or you can get Ansible to prompt for the password each time you run a playbook.

If you are looking for more information on Ansible Network Automation I have a course which will take you from zero to hero with Ansible.

ansible network automation course

Ansible Vault Best Practices

There are a few steps to setting up an Ansible vault.

  1. Create vault file using ansible-vault encrypt
  2. Specify vault password
  3. View encrypted file using ansible-vault view

Lets’s step through these steps in more detail.

Note: you do not need to install ansible-vault – it is part of the core code within Ansible

ansible-vault create

First we are going to need a file that we are going to encrypt. This can either be a new file created in the vault process or we can encrypt a file that already exists. Let’s look at a new file first.

Enter the command ansible-vault create <filename>.yml

ansible-vault create

In this example I created a file called test-vault.yml

I entered some data in the file and saved it.

Now if we look at the file

cat test.yml

ansible vault encrypted file

You can see that the contents are encrypted

If we want to view that file we just enter the command:
ansible-vault view test-vault.yml

You will be prompted for a password and then you can see the contents of the file.

ansible vault view

What if you wanted to encrypt a file that already exists? Simple.

ansible-vault encrypt

So you already have all your passwords and sensitive information in a file – in my case it is in ./group_vars/all.yml

This is the file

ansible_user: "roger"
ansible_ssh_pass"cisco"
ansible_network_os: "ios"

I am going to encrypt it and then run a playbook that needs that password information and see what happens.

First we will encrypt the file with the ansible-vault encrypt ./group_vars/all.yml command

ansible-vault encrypt ./group_vars/all.yml

You are prompted for a password and the file is encrypted.

To verify if we view the file we just see the encrypted data

ansible-vault encrypt

Using Ansible Vault in Playbook Example

Now I have a playbook called backup.yml which will need to access the data in /group_vars/all.yml

So let’s see what happens when we run the playbook?

We get an error: Attempting to decrypt but no vault secrets found

attempting to decrypt but no vault secrets found ansible

The reason for this is the all.yml file is now encrypted and you need a password to access the data, however we did not tell Ansible how to get the password.

You can do this in a few ways

  • Prompt for the password during the playbook run
  • Specify the location to a password file during the playbook run
  • Specify the location to the password in ansible.cfg

Let’s look at all 3 options

Prompt for the password during the playbook run

Just add this to the end of your playbook run command e.g 

ansible-playbook backup.yml --ask-vault-pass

To the end of the playbook command and you will be prompted to enter a password on playbook run.

Using Ansible Vault with a Password File

You can also have another file which contains your password. This file does need to be secured either by on machine permissions and also kept out of your Git repository.

You then specify where this file is with this command 

ansible-playbook backup.yml --vault-password-file vault-pass.txt

The contents of vault-pass.txt just needs to contain your password.

Specify the location of a password file in ansible.cfg

You can also specify the location of this file in the ansible.cfg file 

vault_password_file = vault-pass.txt

Decrypting Encrypted Files

If you no longer want your file to be encrypted you can easily decrypt it using the folling code 

ansible-vault decrypt <filename>

You will be prompted for the password you originally used to encrypt the file and it will then be unencrypted.

Changing the Password of Encrypted Files

If you want to change the password of your encrypted file you can use the command 

ansible-vault rekey <filename>

You will be prompted for your original password and then your new password.

Note: you can also perform the encrypt, decrypt or rekey operation on multiple files at the same time.

Ansible is just one tool in the world of Network Automation, so I hope this tutorial has been helpful and please check out some other relevant posts below.

Other Ansible related posts:

Ansible Documentation – https://docs.ansible.com/ansible/latest/user_guide/vault.html

Frequently Asked Questions

How do you secure secrets in Ansible?

Ansible Vault allows you to secure your secrets i.e passwords, API keys and sensitive information by encrypting them. Then to access the secrets you either have to provide the encryption password when running the playbook or store it in a secure place that the playbook can reference.

What is Ansible Vault?

Ansible Vault is a feature within Ansible that allows you to encrypt passwords and sensitive data rather than storing it all in plain text within a playbook or vars files. The encrypted data can be retrieved by supplying the password during a playbook run

Where is the Ansible Vault file?

Your vault file can be anywhere you want it to be, you simply encrypt the file you want to secure by using the command ansible-vault encrypt and then supply a password.

How do I decrypt Ansible Vault files?

If you want to decrypt an Ansible Vault file enter the command ansible-vault decrypt <filename>

How do I bypass Ansible vault password?

If you want to not have to enter the Ansible vault password each time you run a playbook you can create a password file in a secure location and then specify the location of that file either in your playbook run command or in your ansible.cfg file.

Category:

Reader Interactions

Comments

  1. Hi Roger,

    Thanks for posting important vedio .
    I have a confusion if I want to use password as a variable and keep it in encrypted fro and declear in a task can I do that . Need your guidance for that and if yo

    Reply

    • I don’t exactly understand your question.

      Are you saying you want to use a password directly in your playbook?

      The idea with Vault is all your passwords are kept in group_vars or host_vars and then you encrypt the entire file.

      If you want to put the password in your playbook there is no way to hide / encrypt that?

      Let me know?

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *